The technical platform behind managed Linux at scale

Cybex combines an open device agent, reusable blueprints, policy inheritance and controlled rollouts to make Linux desktops manageable across schools, governments and companies.

See the architecture Read the open agent

Declarative

NixOS-based

Open agent

inspectable · signed

Auditable

who · what · when

01ARCHITECTURE_OVERVIEW

How the pieces fit together.

A central management system talks to a signed agent on every device. Policies and blueprints describe the desired state; the agent reconciles to it and reports back; every change lands in the audit trail.

POLICIES

Layered intent: base, site, blueprint, override.

BLUEPRINTS

Versioned, reusable device recipes.

AUDIT_TRAIL

Every change: who, what, when, where.

Cybex Management System

Device agent

Runs on each device. Reconciles state, reports facts. Open source.

Managed Linux devices

Desktops & laptops in their declared, reproducible state.

Check-ins

Heartbeats carry status, drift and hardware facts back up.

manage.cybex.net / dashboard LIVE · 09:41:55

Dashboard

Enrollments

Devices

Blueprints

Rollouts

Audit log

Dashboard

workspace · digitalpals

ALL_SYSTEMS_NOMINAL

FLEET_CONTROL_HEALTH

99%

220

HEALTHY

WARN

CRIT

DEVICES

223

PENDING

ROLLOUTS

NEEDS_ATTENTIONreview →

nx-7a41e0 · recoveredlab-3 · auto-remediatedOK

drift detected · 2 devicessite/rotterdam · reconcilingWARN

RECENT_ACTIVITYview_all →

adopt enrollment · nx-9c12d0just now · avery

publish lab-workstation r121m ago · jordan

advance rollout · stage 24m ago · system

02OPEN_AGENT

An agent you can read.

A signed Cybex agent runs on each managed device. It is open source, so security teams can verify exactly what it collects and what it changes — trust comes from inspection, not promises.

Runs on every deviceReconciles the device to its declared state and reports facts on check-in.

Open sourceRead it, build it, and run your own build if you choose.

Verifiable behaviorInspect exactly what the agent reads, changes and sends upstream.

github.com/CybexHQ

device · cybex-agent status

$ cybex-agent status

agent v0.9.2 · identity nx-7a41e0

channel stable 24.05 · signed ✓

reconcile in sync · drift 0

reports: os · packages · disk · posture

changes: declared state only

last check-in just now

03REFERENCE_DEVICE → BLUEPRINT

From one reference device to the whole fleet.

Configure a reference device or VM, let the agent snapshot the relevant configuration, and Cybex generates or updates a versioned blueprint — reviewable, reusable across groups, and rolled out under control.

Configure

Reference device or VM, set up by hand.

Snapshot

Agent captures the declarative state.

Generate

A versioned blueprint, ready to review.

Reuse

Assign to groups of devices.

Roll out

Review, then ship in stages.

reference-vm · cybex-agent

$ cybex snapshot --label lab-workstation

→ reading system configuration ✓

→ desktop: gnome · 41 packages ✓

→ users · policies · security posture ✓

→ hashing declarative state ✓

blueprint lab-workstation@r12 ready

publish? y

lab-workstation

blueprint · revision r12

PUBLISHED

DESKTOP

GNOME 46

PACKAGES

41 pinned

CHANNEL

stable 24.05

ASSIGNED

62 devices

snapshotted from reference-vm · 2m ago

04POLICY_MODEL

Four layers of intent, resolved per device.

Policy inherits from the broadest layer to the narrowest. The same model works for schools, companies and governments — only the contents differ. Select a layer to see what it controls.

Base Policy

ALL_DEVICES · ORGANIZATION-WIDE

The organization-wide baseline every device inherits first.

CONTROLS

05STAGED_ROLLOUTS

Ship to the fleet, one stage at a time.

Publish to a pilot group, watch fleet health, then advance — or roll back. Scroll to deploy lab-workstation@r12 across all 223 devices.

STAGE 1 / 3 0% 0 / 223 devices

STAGE_1 · PILOT11

STAGE_2 · EARLY56

STAGE_3 · FULL156

● ready to publish · scroll to deploy

06SECURITY_&_COMPLIANCE

Built so you can prove what's running.

The control plane gives security teams the evidence they need: what's deployed, what changed, and who changed it — without overclaiming certifications Cybex doesn't hold.

Device inventory

A live record of every managed device, its hardware and its kernel.

Configuration state

The exact declared state of each device — and any drift from it.

Update visibility

See which revision each device runs and what an update will change.

Audit logs

Every change is attributable: who, what, when, and which policy layer.

Controlled changes

Changes ship as reviewable, staged rollouts — never silent, never all at once.

Least privilege

Role-based access where it applies, so operators only touch what they should.

07HOSTING_&_RESIDENCY

European hosting, fully managed.

Cybex Cloud is a fully managed service, run for you in European datacenters — there's no software for you to host, patch or operate. And standardizing on open Linux means no proprietary-OS lock-in.

Fully managed

Cybex runs the control plane for you — nothing to install, patch or maintain yourself.

European operation

A European company, operated under European rules.

EU data residency

Your configuration, packages and audit trail are stored and processed inside the EU.

No OS lock-in

Standardize on open Linux instead of a proprietary platform.

08SUPPORTED_PLATFORMS

Linux first. Honest about the rest.

Cybex focuses on doing Linux device management properly before spreading thin. Here's what's available today and where it's heading.

Linux / NixOS

AVAILABLE

Desktops and laptops, built declarative-first on NixOS — the initial focus and where Cybex is most capable today.

Chromebooks

FUTURE DIRECTION

Chromebook support is a possible future direction, not a commitment for today. We won't promise a platform before it's real.

Ready to explore a managed path to Linux?

Talk to us about your migration, or read the open agent and see exactly how it works.

Request early access Read the open agent